An Efficient Certificateless Anonymous Signcryption Scheme for WBAN

A Wireless Body Area Network (WBAN), introduced into the healthcare sector to improve patient care and enhance the efficiency of medical services, also brings the risk of the leakage of patients’ privacy. Therefore, maintaining the communication security of patients’ data has never been more important. However, WBAN faces issues such as open medium channels, resource constraints, and lack of infrastructure, which makes the task of designing a secure and economical communication scheme suitable for WBAN particularly challenging. Signcryption has garnered attention as a solution suitable for resource-constrained devices, offering a combination of authentication and confidentiality with low computational demands. Although the advantages offered by existing certificateless signcryption schemes are notable, most of them only have proven security within the random oracle model (ROM), lack public ciphertext authenticity, and have high computational overheads. To overcome these issues, we propose a certificateless anonymous signcryption (CL-ASC) scheme suitable for WBAN, featuring anonymity of the signcrypter, public verifiability, and public ciphertext authenticity. We prove its security in the standard model, including indistinguishability, unforgeability, anonymity of the signcrypter, and identity identifiability, and demonstrate its superiority over relevant schemes in terms of security, computational overheads, and storage costs.


Introduction
The latest data by the World Health Organization (WHO) reveals that the average global life expectancy has reached 73.4 years. Furthermore, demographic projections estimate that by 2050, the number of individuals aged 60 and above will surge to 2.1 billion. This demographic shift towards an older population is exacerbating the shortage of medical resources, making healthcare for the elderly a critical issue for nations worldwide. The escalating costs of healthcare have driven medical systems to embrace new technologies to enhance current practices. To capitalize on the benefits of wireless technology in the realms of telemedicine and mobile health, a novel type of wireless network has emerged: the Wireless Body Area Network (WBAN) [1]. The WBAN is a specialized sensor network that facilitates the exchange of vital health information between patients and healthcare providers via the internet.
A standard WBAN encompasses an array of either implantable [2,3] or wearable sensor nodes and control units [4]. The role of these sensor nodes is to diligently monitor the critical physiological parameters of individuals, covering a range of critical health indicators such as blood pressure, oxygen saturation levels, respiratory rate, heart rate, skin temperature, and various other essential signs of life. In addition to these vital signs, they also measure environmental factors, such as ambient temperature, humidity levels, and light intensities.
The sensor nodes engage in communication with a central controller, which acts as a conduit for relaying the aggregated health data to medical personnel and servers within the network. The WBAN framework is shown in Figure 1. The implementation of WBAN has significantly enhanced the efficiency of healthcare delivery, as it reduces the frequency with which patients need to visit hospitals. Furthermore, the system is capable of facilitating clinical diagnoses and providing some emergency medical responses. Given the significant role that WBAN will play in the healthcare system, it is projected that the WBAN market will exceed 19 trillion US dollars in the next few years [5]. It is expected that there will be 100 billion Internet of Things (IoT) devices in operation globally by the year 2025, with an expected economic impact that will exceed 11 trillion US dollars [6].
Garnering enormous economic interest, WBAN may be confronted with the risks of data misuse and infringement of user privacy. Although various countries are continuously improving their regulatory systems, their strategies focus on effectiveness and security. For example, the EU's General Data Protection Regulation (GDPR), which came into effect in May 2018, granted privacy regulatory authorities the right to impose fines or file lawsuits against individual companies. It drives societal attention to privacy and security. Whitfield Diffie and Susan Landau concluded that we can best protect our communications through encryption in their book Privacy on the Line. Cryptography has long been a tool for securing communications and protecting privacy. The fundamental goal of cryptography is to achieve secure communication, and it has been observed that the privacy of ordinary people may be infringed upon in communications, which has led to questions being raised about the field of cryptography. The cryptography community has begun to focus on the social impact of its work. For instance, the Association for Computing Machinery (ACM) upholds detailed codes of ethics and professional conduct, including directives on honesty, privacy, and societal contribution [7]. The American Mathematical Society (AMS) and Mathematical Association of America (MAA) provide more generalized guidance on ethical conduct: The MAA requires Directors, Officers, Members, those compensated by the MAA and those donating their time, and all employees, to observe high standards of business and personal ethics in the conduct of their duties and responsibilities [8]. When mathematical work may affect the public health, safety or general welfare, it is the responsibility of mathematicians to disclose the implications of their work to their employers and to the public, if necessary [9]. Yet, the International Association for Cryptologic Research (IACR), despite its focus on cryptography, lacks a comprehensive ethical statement. Phillip Rogaway [10] emphasized the ethical responsibilities of cryptography work, not only to focus on technical and mathematical challenges but also to recognize the impact of their work in society, and to be driven by ethics to make more meaningful contributions to society. Designing cryptography schemes requires a reflective approach that navigates complex ethical terrains, considering how cryptography tools and techniques affect social norms and values, and is capable of both protecting individual privacy and enabling surveillance.
The core element of ensuring the security of WBAN systems lies in the establishment of an efficient security framework. Within this framework, the two major security challenges of authentication and confidentiality are particularly crucial and require urgent solutions. In response to these challenges, encryption technology and digital signatures have been widely adopted as effective means to enhance security and verification mechanisms. In practice, when both encryption and signature functions are required concurrently, a common approach is to prioritize signature processing followed by encryption, in order to ensure the integrity and confidentiality of information. However, given the stringent constraints of low-power sensor devices in WBANs, such as limited onboard energy and central processing unit (CPU) processing capabilities, executing complex encryption programs appears impractical. To overcome this technical barrier, an innovative "signcryption" technology [11] has emerged, which ingeniously combines the functions of signing and encryption. This not only simplifies the operational process but also adapts to resource-constrained environments. Most importantly, compared to the traditional method of signing first and then encrypting, signcryption technology exhibits greater applicability in resource-constrained application scenarios such as WBANs due to its higher cost-effectiveness.
Currently, in response to the security challenges faced by WBANs, scholars have conducted extensive research from multiple angles and designed a series of signcryption schemes to tackle the security challenges faced by WBANs [12][13][14][15][16]. The core of these schemes lies in the establishment of three major cryptographic systems: the Public Key Cryptography (PKC), Identity-based Public Key Cryptography (ID-PKC), and Certificateless Public Key Cryptography (CL-PKC). During the process of system deployment, PKC often confronts intricate challenges related to certificate management. While ID-PKC can effectively bypass the difficulties of certificate management encountered in PKC, its drawback lies in the necessity of implementing a key escrow mechanism. Although a lightweight ID-PKC is highly suitable for resource-constrained WBANs, the security is compromised when the Private Key Generator (PKG) is compromised, as the PKG learns the private keys of all users. In other words, the PKG can decrypt ciphertexts in Identity-Based Encryption (IBE) schemes and can forge signatures for messages in Identity-Based Signature (IBS) schemes. Therefore, ID-PKC is only suitable for small-scale networks like WBANs, rather than large-scale networks such as the Internet. In this context, where the communication between Internet users and WBANs is being considered, CL-PKC emerges as an ideal choice compared to ID-PKC.
However, WBAN utilizes public communication channels, making the transmitted data highly vulnerable to eavesdropping, interception, replay, forgery, and tampering by adversaries. Therefore, it is very important to design an efficient and secure CLSC scheme to realize secure communication in WBAN. In order to achieve security, we must overcome a series of technical challenges [17][18][19]. The scope of these challenges covers a wide range of issues, including confidentiality, integrity, authentication, non-repudiation [5], anonymity, public verifiability, and public ciphertext authenticity. To tackle the aforementioned challenges, we present a certificateless anonymous signcryption (CL-ASC) scheme specifically for WBAN. Under the standard model, we have demonstrated that the scheme satisfies the requirements of anonymity of the signcrypter, and identity identifiability.

Related Work
The following related work can be focused on from two aspects: firstly, research regarding the CLSC Scheme itself; secondly, the application and exploration of the CLSC scheme within WBANs.
To eliminate key escrow in ID-PKC and simplify the certificate management in traditional PKC, Al-Riyami and Paterson [20] introduced the concept of CL-PKC. In CL-PKC, a user's complete private key comprises two parts: one is a partial private key generated by KGC, and the other is a secret value generated by the user themselves. Additionally, public keys do not require certificates. Therefore, the certificateless public key cryptosystem boasts significant advantages and has garnered widespread attention since its inception [21][22][23][24]. In 2008, Barbosa and Farshim [23] combined the certificateless public key system with signcryption to introduce the Certificateless Signcryption (CLSC) scheme, while also defining the formal security concepts of CLSC schemes. The certificateless signcryption has the advantages of both the certificateless public key cryptographic system and signcryption. Building on this foundational work, numerous CLSC schemes have been proposed [25][26][27][28][29][30][31][32], but most of them have been proven secure in the ROM. It is well known that proofs in the ROM serve only as heuristic evidence and do not necessarily imply security in practical implementations [33]. Therefore, it is imperative to consider how to construct provably secure schemes without relying on random oracles. In 2010, Liu et al. [24] first proposed a certificateless signcryption scheme in the standard model; unfortunately, this model is insecure in the face of a malicious but passive Key Generation Center (KGC) and a public key substitution attack [34][35][36]. Subsequently, Jin et al. [37] adopted a new method to optimize and improve Liu's scheme and proved that their improved scheme is secure in the standard model. However, Xiong [38] demonstrated that Jin's scheme is not resistant to chosen ciphertext attacks and is vulnerable to malicious but passive KGC attacks. In 2017, Luo et al. [28] constructed a CLSC scheme and claimed to achieve unforgeability against adaptive chosen message attacks and ciphertext indistinguishability against adaptive chosen ciphertext attacks in the standard model. However, Yuan [39] pointed out that the scheme [28] failed to fulfil its purported security claims. Subsequently, Rastegari et al. [40] discovered a critical flaw in the scheme and proposed a revised CLSC scheme, but Lin [41] analyzed it and concluded that the scheme [40] was insecure. Therefore, how to propose a secure certificateless signcryption scheme under the standard model remains an open question.
There are two types of adversaries in certificateless cryptosystems. The Type I adversary, $A_1$, mimics an "external" adversary who does not know the master secret key but can replace anyone's public key. The Type II adversary, $A_2$, mimics an "internal" adversary who knows the master secret key but cannot replace anyone's public key. It should be noted that $A_2$ only encompasses the "honest-but-curious" KGC, but a malicious and passive KGC may attempt to decrypt ciphertexts or forge signatures by embedding additional trapdoors in the public parameters [29]. Therefore, a stronger security model is needed to capture the operations of a malicious yet passive KGC. In 2007, Au et al. [42] introduced the concept of a malicious yet passive KGC as a Type II adversary. This type of attacker is malicious during the initial setup phase of the system, thereby allowing the Type II adversary to generate all public parameters and the master secret key. For adversary $A_2$, a malicious yet passive $A_2$ attack is more realistic and powerful than an honest-but-curious $A_2$ attack. To resist attacks by a malicious but passive KGC and public key substitution attacks, we consider the malicious but passive KGC as a Type II adversary $A_2$ in our security model and grant $A_2$ the ability to replace public keys.
In 2016, Li et al. [43] debuted a CLSC scheme aimed at WBAN access control, claiming it met various security criteria, such as authentication, confidentiality, and non-repudiation, indicating its broad applicability. Unfortunately, the scheme was still vulnerable to replay attacks and lacked public verifiability [44]. In 2018, Li et al. [45] proposed a new CLSC scheme within an economical and anonymous access control mechanism for WBAN, claiming it encompassed security features like anonymity, confidentiality, authentication, integrity, and non-repudiation. However, it is noteworthy that their security proofs were conducted in the ROM, and it lacked consideration for public verifiability and public ciphertext authenticity. In the same year, Lu et al. [46] developed a traceable threshold attribute signature scheme, aimed at providing better security for mobile healthcare social networks (MHSN). The article claims that the scheme has correctness, unforgeability, traceability, and privacy. However, the security proof of the scheme is also implemented in the ROM and lacks public verifiability and public ciphertext authenticity. In 2018, Liu [47] proposed a lightweight CLSC scheme based on RSA, and designed a lightweight and efficient WBAN data access control scheme. The article claims that the scheme can meet more security requirements in WBAN. However, the scheme's security is only proven in the ROM. The existing certificateless signcryption-based data access control schemes have the following two weaknesses: (1) most of the security proofs are implemented in ROM; (2) most of the schemes lack anonymity, public verifiability, and public ciphertext authenticity. Subsequently, the use of our proposed CLSC scheme to design an efficient and secure WBAN data access control scheme can be considered.

Motivations and Contributions
Wireless Body Area Networks (WBANs) play a significant role in monitoring health information and creating efficient healthcare systems. The task of designing a secure and economical communication scheme suitable for WBANs is made particularly challenging due to the inherent characteristics of WBANs, such as the open medium channel and the limited resources of sensor nodes. Signcryption is an encryption technology that can simultaneously achieve the functions of public key encryption and digital signatures, which can authenticate users and protect query messages at the same time. It can achieve confidentiality, authentication, integrity, and non-repudiation at a low cost, which is suitable for WBANs. The CLSC schemes proposed in recent years have the following weaknesses:

• The security proofs of most schemes are implemented in ROM. However, the CLSC schemes with provable security in ROM may have vulnerabilities in practical applications.

• A Type II adversary in the security models of most schemes is considered an "honest but curious" KGC, but in reality, this may be a "malicious but passive" KGC.

• The schemes lack public verifiability and public ciphertext authenticity. This leads to the receiver having to decrypt the ciphertext first and then verify its validity. If the ciphertext is invalid, the decryption work will be wasted.

• Most schemes do not have anonymity of the signcrypter. This is not conducive to protecting the privacy of the sender.

• High computational cost. In order to complete a signcryption-unsigncryption algorithm, the scheme requires multiple pairing operations, which is not suitable for low-power devices.

Therefore, the purpose of this paper was to introduce a scheme that is both efficient and secure, addressing the aforementioned concerns. The contributions of this paper are as follows:

• We introduce a CL-ASC scheme which is suitable for WBAN, with anonymity of the signcrypter, public verifiability, public ciphertext authenticity, and identifiable identity. There are very few CL-ASC schemes that have all these special features. Compared to other schemes, our scheme has very powerful functions and shows some degree of innovation.

• We provided a stronger security model for the CL-ASC scheme. Our security model considers a malicious but passive KGC as a Type II adversary, which can generate all public parameters and the master secret key during the initial system setup stage, and is endowed with stronger capabilities. In addition, both Type I and Type II adversaries can directly compute hash functions to obtain results. This significantly enhances the capabilities of the adversaries, making the scheme more secure and more aligned with real-world scenarios.

• We demonstrate that our scheme possesses indistinguishability, unforgeability, anonymity of the signcrypter, and identity identifiability in the standard model.

• Compared to the related schemes, our scheme offers superior security, along with reduced computational overheads and storage costs, making it more suitable for WBAN.

Organization
The subsequent sections are structured as follows: in Section 2, we introduce the fundamental concepts; Section 3 elaborates on the system's architecture; Section 4 specifies the security framework; the proposed scheme is thoroughly described in Section 5; and its security analysis is presented in Section 6. A comparative analysis of performance is presented in Section 7; and Section 8 summarizes the conclusions of our study.

Preliminaries
The structure is distinguished by the presence of an additive cyclic group $G_1$ and a multiplicative cyclic group $G_2$, each possessing an order of $q$, with $q$ being a prime number. A bilinear map, denoted by $e : G_1 \times G_1 \to G_2$, is defined by the following properties:
Non-degeneracy: There exist $P, Q \in G_1$ such that $e(P, Q) \neq 1_{G_2}$.
Computability: An efficient computational method exists for determining $e(P, Q)$ for any given $P$ and $Q$ from their respective groups.
Bilinearity: For every pair of elements $P, Q \in G_1$ and integers $a, b \in Z_q$, the map satisfies $e(aP, bQ) = e(P, Q)^{ab}$.
This mapping is referred to as bilinear, as described in [48].
The mathematical problems and assumptions about bilinear mapping used in this paper are as follows:
Definition 1. Decisional Diffie-Hellman Problem (DDHP): When presented with elements $P, aP, bP, X \in G$, verify if $X$ is indeed $abP$. Here, $P \in G_1$ and $a, b \in Z_q^*$.
Definition 2. Decisional Diffie-Hellman Assumption (DDHA): Under the DDHA, it is assumed that the likelihood of any algorithm capable of operating within polynomial time successfully resolving the DDHP is minimal.
Definition 4. Computational Attack Algorithm Assumption (CAAA): Under the CAAA, it is assumed that the likelihood of any algorithm capable of running in polynomial time successfully resolving the CAAP is minimal.

System Model
The fundamental security prerequisites for the deployment of a signcryption scheme within WBAN are outlined as follows:
(1) Confidentiality: this means that any unauthorized party, other than the authorized individual or entity, cannot access the data content. Even if an unauthorized user obtains the encrypted data, they cannot decipher the true content of the data.
(2) Authentication: this refers to the authentication of data sources or entities.
(3) Integrity: guaranteeing the integrity of data transmitted in the network, preventing illegal entities from tampering with or deleting query messages.
(4) Non-repudiation: ensuring that the sender of data cannot deny previous commitments or actions.
(5) Unforgeability: if the attacker can forge the patient's signature, the doctor will face obstacles in diagnosis and treatment, which may endanger the patient's life.Therefore, we need the signcryption scheme to be unforgeable under the adaptive chosen message attack.
(6) Anonymity of the signcryptor: in order to protect user privacy, no other entity apart from KGC can indeed ascertain the true identity of the signcryptor.
(7) Identity identifiability: while ensuring user privacy, KGC is capable of verifying and tracing the identity of the signcryptor to ensure the security and credibility of data transmission and usage.Meanwhile, other unauthorized entities are prevented from accessing this sensitive information.
(8) Public verifiability [18]: a third party is registered to affirm the legitimacy of the encrypted message, independent of the access to the sender's private key.
(9) Public ciphertext authenticity [18]: a third party can confirm the authenticity of the ciphertext without the need for decryption, allowing the receiver to discard invalid ciphertexts in advance, saving energy consumption and computation time, which is crucial for small devices.
The system model proposed in this paper is shown in Figure 2, which includes three entities: KGC, sender C, receiver U.

Security Model
Based on the security models proposed by Barbosa et al. [23], Zhou et al. [30] and Deng [49], we present a security model for CL-ASC, and give the following explanations. Against a Type I adversary $A_1$, we have adopted the original security model proposed by Barbosa and Farshim, based on its notable advantage over another security model, namely that in the latter, in the public key replacement oracle, $A_1$ needs to provide the corresponding secret value when replacing the user's public key. Barbosa and Farshim's model demonstrates greater defensive capabilities. For a Type II adversary $A_2$, our security model takes into account a malicious yet passive KGC as $A_2$. At this time, $A_2$ can generate all public parameters and the master key during the initialization phase of the system. Given that, in practical scenarios, Type II adversaries also possess the capability to perform public key replacement attacks, we allow $A_2$ to execute the public key replacement query in our security model, ensuring that the security model effectively defends against such threats. Furthermore, both Type I and Type II adversaries are capable of directly computing hash functions to obtain results.
Based on the above analysis, against indistinguishability under an adaptive chosen ciphertext attack and unforgeability under an adaptive chosen message attack, we present two types of adversaries.
$A_1$: $A_1$ is a dishonest user who can replace the public key of any entity with a value of their own choice, but they do not have access to the secret master key.
$A_2$: $A_2$ represents a malicious but passive KGC that generates all public parameters and master secret key and can perform public key replacement.
In addition, we introduce a super adversary, A, specifically targeting the anonymity of the signcryptor. A is a super adversary who possesses the capabilities of both $A_1$ and $A_2$, meaning that A is endowed with the capacity to replace users' public keys and also has access to the master secret key, and can perform secret value queries. However, A is unable to access the list FI and cannot query the pseudo-identity of the target user.
Definition 5. If the adversary cannot win the following game with a non-negligible probability in any polynomial time, then the security property of the CLSC scheme is said to satisfy indistinguishability under an adaptive chosen ciphertext attack (IND-CCA2).

Game 1:
The game between the adversary $A_1$ and the challenger B unfolds as follows:
• Initialization phase: B obtains msk and params by executing the setup algorithm, then sends params to $A_1$ and maintains the secrecy of msk.

• Query phase: For C, the queries $Q_{pid}(ID_c)$ and $Q_{upk}(PID_c)$ are executed before any other queries. For U, the query $Q_{upk}(ID_u)$ should be executed before any other queries.
$A_1$ performs the following types of queries:
The reason for imposing this restriction is that it is unreasonable to expect the challenger to provide a partial private key for users who do not know a partial private key.
$Q_{sv}(PID_c/ID_u)$: $A_1$ sends a user identity $PID_c/ID_u$ to B, B returns the secret value $x_c/x_u$ to $A_1$. When $X_c/X_u$ is replaced, $A_1$ cannot perform this query. The reason for imposing this restriction is that it is unreasonable to expect the challenger to provide a secret value for users who do not know a secret value.
, where $m$ is the plaintext intended for signcryption, $ID_u$ is the identity of U, $PK_u$ is the public key of U whose identity is $ID_u$, $PID_c$ is the identity of C and $PK_c$ is the public key of C whose identity is $PID_c$. B first executes the PPKG algorithm, SVS algorithm and FSKS algorithm using identity $PID_c$ to obtain $SK_c$, and then executes the signcrypt algorithm using the tuple $(\sigma, ID_u, PK_u, PID_c, SK_c)$ to output the ciphertext $\sigma$ as the reply to $A_1$'s query. When the $PID_c$'s public key is replaced, B may not be able to access the full private key of $PID_c$. In this case, $A_1$ needs to provide the relevant information of the $PID_c$.
$Q_{un}(\sigma, ID_u, PK_u, PID_c, PK_c)$: $A_1$ sends tuple $(\sigma, ID_u, PK_u, PID_c, PK_c)$ to B, where $\sigma$ is the ciphertext intended for unsigncryption, $ID_u$ is the identity of U, $PK_u$ is the public key of U whose identity is $ID_u$, $PID_c$ is the identity of C and $PK_c$ is the public key of C whose identity is $PID_c$. B first executes the PPKG algorithm, SVS algorithm and FSKS algorithm using identity $ID_u$ to obtain $SK_u$, and then executes the unsigncrypt algorithm using the tuple $(\sigma, ID_u, SK_u, PID_c, PK_c)$ to obtain the plaintext $m$ or $\perp$ as the reply to $A_1$'s query. When the $ID_u$'s public key is replaced, B may not be able to access the full private key of $ID_u$. In this case, $A_1$ needs to provide the relevant information of the $ID_u$.
The advantage of $A_1$ is defined as follows:

Game 2:
The game between the adversary $A_2$ and the challenger B unfolds as follows:
• Initialization phase: $A_2$ obtains msk and params by executing the setup algorithm, then sends them to B.
In this process, $A_2$ must meet the following conditions: (1) $ID_u^*$ is an identity whose secret value has not been queried by $A_2$. (2) $A_2$ is not allowed to replace the value of $X_u^*$.

• Guess phase: After receiving $\sigma^*$, $A_2$ performs a series of queries, but there are the following constraints: (1) $A_2$ is not allowed to operate
The advantage of $A_2$ is defined as follows:
Definition 6. If the adversary cannot win the following game with a non-negligible probability in any polynomial time, then the security property of the CLSC scheme is said to satisfy unforgeability under an adaptive chosen message attack (UF-CMA).

Game 3:
The game between the adversary $A_1$ and the challenger B unfolds as follows:
• Initialization phase: Same as the initialization phase in Game 1.

Game 4:
The game between the adversary $A_2$ and the challenger B unfolds as follows:
Definition 7. If the adversary cannot win the following game with a non-negligible probability in any polynomial time, then the CLSC scheme is said to be anonymous to the signcrypter.

Game 5:
The game between the super adversary A and the challenger B unfolds as follows:
• Initialization phase: Same as the initialization phase in Game 2.
The advantage of A is as follows:
Definition 8. If KGC can recognize the true identity of C in any ciphertext, then the CLSC scheme is identifiable.

New Scheme
• Setup: Given a security parameter $\mu$, SP performs the subsequent steps:
(1) Sets up a bilinear mapping $e : G_1 \times G_1 \to G_2$, where $G_1$ is an additive cyclic group, $G_2$ is a multiplicative cyclic group and
(2) Selects a generator $P$ of $G_1$, and computes $N = e(P, P)$.
(4) Selects the following secure hash functions (where
(5) Randomly chooses a number $\delta \in Z_q^*$ and computes $P_{pub} = \delta P$; let master secret key $msk = \{\delta\}$.
(6) Publishes the params $params = \{G_1, G_2, q, e, P, P_{pub}, N, H_1 \sim H_5\}$.
(2) After receiving the identity $ID_u$ of U, KGC performs the subsequent steps:
(a) Randomly chooses $r_u \in Z_q^*$, and calculates $R_u = r_u P$.
(1) C randomly chooses $x_c \in Z_q^*$, sets $x_c$ as its secret value.
(2) U randomly chooses $x_u \in Z_q^*$, sets $x_u$ as its secret value.
• FSKS:
(1) C sets the full private key $SK_c = (x_c, d_c)$.
(2) U sets the full private key $SK_u = (x_u, d_u)$.

• UPKG:
(1) C computes $X_c = x_c P$, and sets the public key $PK_c = (X_c, R_c)$.
(2) U computes $X_u = x_u P$, and sets the public key $PK_u = (X_u, R_u)$.
• Signcrypt: Upon receiving a plaintext message $m \in M$, C performs the subsequent steps:
(1) Calculates $l_u = H_2(ID_u, R_u)$.
(3) Verifies whether the equation $e(\omega, R_c + l_c P_{pub} + \rho X_c) = N$ holds. If the equation is valid, proceed to step 4. Otherwise, the signature is invalid; output $\perp$.
Correctness:
Additionally, our scheme offers public verifiability and public ciphertext authenticity. During the initial three steps of Unsigncrypt algorithm, any third party can ascertain the legitimacy of the ciphertext $\sigma$ without needing C's full private key or the message $m$. If the ciphertext $\sigma$ is proven invalid, the receiver can immediately disregard it, thus avoiding further decryption steps. This method conserves computational resources and reduces energy consumption, which is particularly advantageous for small-scale devices by saving both energy and processing time.
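The reject-before-decrypt flow described above, as an added example that is not code from the paper: a relay or receiver evaluates the pairing equation on public values only and invokes decryption only when it holds. It runs in a toy group where every point is stored as its discrete log (algebraically faithful, not secure). The form of the partial private key (d_c = r_c + l_c·δ mod q, with l_c = H_2(PID_c, R_c) by analogy with l_u), the inputs hashed into ρ, the SHA-256 stand-in for the hash functions and all function names are assumptions made here, since the surviving text does not show them.

```python
import hashlib
import secrets

# Toy bilinear group (constructed for this example, NOT secure): a G1 element aP
# is stored as its discrete log a mod Q and a G2 element N^t as t, so that
# e(aP, bP) = N^(ab) becomes multiplication of the stored values.
Q = 2**127 - 1   # prime group order q
P = 1            # generator P of G1
N = 1            # N = e(P, P)

def pairing(point_a, point_b):
    """e(aP, bP) = N^(ab), returned as the exponent ab mod q."""
    return (point_a * point_b) % Q

def hash_to_zq(tag, *parts):
    """Hypothetical stand-in for the scheme's hash functions, mapping into Z_q^*."""
    h = hashlib.sha256(tag.encode())
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)  # length-prefix each field
    return int.from_bytes(h.digest(), "big") % (Q - 1) + 1

def rand_zq():
    return secrets.randbelow(Q - 1) + 1

def kgc_setup():
    """Setup step (5): msk = delta, P_pub = delta * P."""
    delta = rand_zq()
    return delta, (delta * P) % Q

def issue_partial_key(delta, pid_c):
    """KGC side: R_c = r_c * P and l_c = H2(PID_c, R_c).
    ASSUMPTION: d_c = r_c + l_c * delta mod q (the page does not show d_c)."""
    r_c = rand_zq()
    R_c = (r_c * P) % Q
    l_c = hash_to_zq("H2", pid_c, R_c)
    return R_c, (r_c + l_c * delta) % Q

def sender_keys(R_c, d_c):
    """SVS / FSKS / UPKG: SK_c = (x_c, d_c), PK_c = (X_c, R_c)."""
    x_c = rand_zq()
    return (x_c, d_c), ((x_c * P) % Q, R_c)

def rho_of(body, pid_c, pk_c):
    # ASSUMPTION: rho hashes the ciphertext body and the sender's public data.
    return hash_to_zq("rho", body, pid_c, pk_c[0], pk_c[1])

def make_omega(body, pid_c, sk_c, pk_c):
    """Sender side: the only omega that satisfies the published check."""
    x_c, d_c = sk_c
    k = (d_c + rho_of(body, pid_c, pk_c) * x_c) % Q
    if k == 0:
        raise ValueError("non-invertible exponent; re-randomise the ciphertext")
    return (pow(k, -1, Q) * P) % Q

def public_check(p_pub, body, omega, pid_c, pk_c):
    """e(omega, R_c + l_c*P_pub + rho*X_c) == N, using public values only."""
    X_c, R_c = pk_c
    l_c = hash_to_zq("H2", pid_c, R_c)
    rho = rho_of(body, pid_c, pk_c)
    return pairing(omega, (R_c + l_c * p_pub + rho * X_c) % Q) == N

def receive(p_pub, sigma, pk_c, decrypt):
    """Receiver: reject before any decryption work; None stands for the ⊥ output."""
    body, omega, pid_c = sigma
    if not public_check(p_pub, body, omega, pid_c, pk_c):
        return None
    return decrypt(body)

def demo():
    delta, p_pub = kgc_setup()
    pid_c = "PID-sensor-01"                       # constructed pseudo-identity
    R_c, d_c = issue_partial_key(delta, pid_c)
    sk_c, pk_c = sender_keys(R_c, d_c)
    body = b"\x8f\x11 opaque encrypted reading"   # constructed ciphertext body
    omega = make_omega(body, pid_c, sk_c, pk_c)
    decrypt_calls = []
    def decrypt(data):                            # placeholder for the private-key steps
        decrypt_calls.append(data)
        return b"plaintext"
    results = {
        "valid": receive(p_pub, (body, omega, pid_c), pk_c, decrypt),
        "tampered_body": receive(p_pub, (body + b"!", omega, pid_c), pk_c, decrypt),
        "tampered_omega": receive(p_pub, (body, (omega + 1) % Q, pid_c), pk_c, decrypt),
        "wrong_sender": receive(p_pub, (body, omega, "PID-other"), pk_c, decrypt),
    }
    return results, len(decrypt_calls)
```

The decrypt callback is reached once for four received ciphertexts, which is the energy saving the paragraph claims for small devices.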
From an ethical perspective, we have conducted an analysis of the ethical risks associated with the proposed scheme and its security model. This analytical framework primarily encompasses three core aspects: technical ethics, individual ethics, and social ethics. In terms of technical ethics, we have provided a more robust security model for the CL-ASC scheme. Our security model considers a malicious yet passive KGC as a Type II adversary and allows for such adversaries to replace public keys. Both Type I and Type II adversaries are capable of directly computing hash functions to obtain results. This significantly enhances the adversaries' capabilities, thereby making the scheme more secure. Under our enhanced security model, we will demonstrate that the CL-ASC scheme possesses indistinguishability and unforgeability. Consequently, applying our CL-ASC scheme for communication in WBAN will not result in message leakage. Furthermore, our CL-ASC scheme ensures the anonymity of the signcrypter, effectively safeguarding users' privacy. In individual ethics, the ciphertext of signcryption is encrypted with the sender's private key and the recipient's public key. To unsigncrypt, the recipient's private key and the sender's public key are required. This ensures that even if a participant is subjected to malicious attacks during data transmission, the transmitted data will not be leaked, thus avoiding the risk of individual ethics. In terms of social ethics, encryption measures are taken for users' private data during the communication process. When strictly implemented, our scheme can maximize the prevention of data leakage during transmission.

Security of the Scheme
In the security proofs below, the adversary is capable of directly computing the values of the hash function without necessitating a query to the challenger.

Lemma 1.
If the DDH problem is hard, our scheme is proven to be IND-CCA2 against the adversary A 1 in the SM.
Proof. Given the tuple (P, αP, βP, T), where α, β ∈ Z * q and α, β are unknown. The goal of B is to determine whether T is equal to αβP.
Initialization phase: B obtains msk and params = {G 1 , G 2 , q, e, P, P pub = δP, N = e(P, P), H 1 ∼ H 5 } by executing the setup algorithm, then sends params to A 1 and maintains the secrecy of msk.After the process above, A 1 and B are both unaware of α and β, but B is aware of δ, while A 1 is not.
Query phase: B sets ID ♢ as the challenge target identity. For C, A 1 must first execute Q pid (ID c ) and Q upk (PID c ) before any other queries. For U, A 1 must first execute Q upk (ID u ) before any other queries. There are eight empty tables, L UC , L UU , L RC , L RU , L KC , L KU , L VC and L VU , maintained by B. A 1 can conduct the following types of queries, and B simulates A 1 's queries as follows:
Q pid (ID c ): When A 1 provides an identity ID c for a query, B executes the PIDG algorithm to output the PID c as A 1 's response.
Q upk (PID c ): B maintains a list L UC , which contains the tuple (PID c , X c , x c , R c , r c ). When A 1 provides an identity PID c for a query, if the PID c is on the list L UC , B returns PK c as A 1 's response. Otherwise, PID c is queried as a new identity, B randomly chooses x c , r c ∈ Z * q , sets PK c = (x c P, r c P) as A 1 's response, and adds (PID c , x c P, x c , r c P, r c ) to the list L UC .
Q upk (ID u ): B maintains a list L UU , which contains the tuple (ID u , X u , x u , R u , r u ). When A 1 provides an identity ID u for a query, if the ID u is on the list L UU , B returns PK u as A 1 's response. Otherwise, ID u is queried as a new identity, and B performs the subsequent steps:
(1) If ID u = ID ♢ , B randomly chooses x ♢ ∈ Z * q , sets PK u = PK ♢ = (x ♢ P, αP) as A 1 's response, and adds (ID u , x ♢ P, x ♢ , αP, ∇) to the list L UU (where ∇ represents a null value).
(2) If ID u ≠ ID ♢ , B randomly chooses x u , r u ∈ Z * q , computes PK u = (x u P, r u P) as A 1 's response, and adds (ID u , x u P, x u , r u P, r u ) to the list L UU .
R upk (PID c , PK c , PK ′ c ): B maintains a list L RC , which contains the tuple (PID c , PK c , PK ′ c ). When A 1 requests to replace the PID c 's public key PK c with PK ′ c , B updates PK c to PK ′ c , and adds (PID c , PK c , PK ′ c ) to the list L RC .
R upk (ID u , PK u , PK ′ u ): B maintains a list L RU , which contains the tuple (ID u , PK u , PK ′ u ). When A 1 requests to replace the ID u 's public key PK u with PK ′ u , B updates PK u to PK ′ u , and adds (ID u , PK u , PK ′ u ) to the list L RU .
Q ppk (PID c ): B maintains a list L KC , which contains the tuple (PID c , d c ). When A 1 provides an identity PID c for a query, B searches for (PID c , x c P, x c , r c P, r c ) in the list L UC , executes the PPKG algorithm, and outputs d c as A 1 's response, then adds (PID c , d c ) to the list L KC .
Q ppk (ID u ): B maintains a list L KU , which contains the tuple (ID u , d u ). When A 1 provides an identity ID u for a query, B performs the subsequent steps:
(1) If ID u = ID ♢ , then B fails and terminates the process.
(2) If ID u ≠ ID ♢ , B searches for (ID u , x u P, x u , r u P, r u ) in the list L UU , executes the PPKG algorithm to output d u as A 1 's response, and then adds (ID u , d u ) to the list L KU .
Q sv (PID c ): B maintains a list L VC , which contains the tuple (PID c , x c ). When A 1 provides an identity PID c for a query, B searches for (PID c , x c P, x c , r c P, r c ) in the list L UC , outputs x c as A 1 's response, and then adds (PID c , x c ) to the list L VC .
Q sv (ID u ): B maintains a list L VU , which contains the tuple (ID u , x u ). When A 1 provides an identity ID u for a query, B searches for (ID u , x u P, x u , r u P, r u ) in the list L UU , outputs x u as A 1 's response, and then adds (ID u , x u ) to the list L VU .
Q sc (m, ID u , PK u , PID c , PK c ): When A 1 provides tuple (m, ID u , PK u , PID c , PK c ) for a query, B performs as follows:
(1) If PID c ∈ L RC , then PK c = (x c P, r c P) is replaced by B first executes the PPKG algorithm and FSKS algorithm using identity PID c to obtain SK c , and then executes the signcrypt algorithm with tuple (m, ID u , PK u , PID c , SK c ) to output the ciphertext σ as A 1 's response.
(2) If PID c ∉ L RC , B first executes the PPKG algorithm and FSKS algorithm using identity PID c to obtain SK c , and then executes the signcrypt algorithm with tuple (m, ID u , PK u , PID c , SK c ) to output the ciphertext σ as A 1 's response.
Q un (σ, ID u , PK u , PID c , PK c ): When A 1 provides tuple (σ, ID u , PK u , PID c , PK c ) for a query, B performs as follows:
(1) If ID u ∈ L RU , then PK u = (x u P, r u P) is replaced by B first executes the PPKG algorithm and FSKS algorithm using identity ID u to obtain SK u , and then executes the unsigncryption algorithm with tuple (σ, ID u , SK u , PID c , PK c ) to output the plaintext m or ⊥ as A 1 's response.
(2) If ID u ∉ L RU and ID u ≠ ID ♢ , B first executes the PPKG algorithm and FSKS algorithm using identity ID u to obtain SK u , and then executes the unsigncryption algorithm with tuple (σ, ID u , SK u , PID c , PK c ) to output the plaintext m or ⊥ as A 1 's response.
(3) If ID u ∉ L RU and ID u = ID ♢ , B fails and terminates the process.
Challenge phase: A 1 selects two distinct messages m 0 , m 1 of the same length and subsequently transmits the tuple (m 0 , m
Guess phase: A 1 performs various queries adaptively as in the query phase and follows the rules of Game 1. After that, A 1 outputs its guess ξ ′ ∈ {0, 1}.
Solving the DDH problem: B returns "1" if ξ ′ = ξ. Otherwise, B outputs "0". If T = αβP, then This means that σ * is a true ciphertext. Therefore, the advantage of A 1 in distinguishing symbol ξ is ε, that is to say: then σ * is not a true ciphertext. This implies that for this σ * , the distribution of ξ = 0 and ξ = 1 is the same. Therefore, A 1 cannot have any advantage in identifying symbol ξ, that is to say: 2 .
Probability: Let q UU , q RU , q KU and q UN represent the number of times A 1 executes Q upk (ID u ), R upk (ID u ), Q ppk (ID u ) and Q un (σ, ID u , PK u , PID c , PK c ), respectively. Next, we will calculate the probability of B successfully solving a given DDH problem. To facilitate understanding, we define the following three events: Based on the analysis, we can obtain the following results: Then, the following results can be derived: Consequently, if A 1 can distinguish symbol ξ with the advantage ε, then B can resolve the DDH problem with a probability of ε q UU e − q UN q UU .
Lemma 2. If the DDH problem is hard, our scheme is proven to be IND-CCA2 against the adversary A 2 in the SM.
Proof. Given the tuple (P, αP, βP, T), where α, β ∈ Z * q and α, β are unknown. The goal of B is to determine whether T is equal to αβP.
Initialization phase: A 2 obtains msk and params = {G 1 , G 2 , q, e, P, P pub = δP, N = e(P, P), H 1 ∼ H 5 } by executing the setup algorithm, then sends them to B. After the process above, neither A 2 nor B knows α and β, but A 2 and B know δ.
Query phase: B sets ID ♢ as the challenge target identity. For C, A 2 must first execute Q pid (ID c ) and Q upk (PID c ) before any other queries. For U, A 2 must first execute Q upk (ID u ) before any other queries. There are eight empty tables, L UC , L UU , L RC , L RU , L KC , L KU , L VC and L VU , maintained by B. A 2 can conduct the following types of queries, and B simulates A 2 's queries as follows:
Q pid (ID c ): Similar to Lemma 1.
Q upk (PID c ): Similar to Lemma 1.
Q upk (ID u ): B maintains a list L UU , which includes the tuple (ID u , X u , x u , R u , r u ). When A 2 provides an identity ID u for a query, if the ID u is on the list L UU , B returns PK u as A 2 's response. Otherwise, ID u is queried as a new identity, and B performs the subsequent steps:
(1) If ID u = ID ♢ , B randomly chooses r ♢ ∈ Z * q , sets PK u = PK ♢ = (αP, r ♢ P) as A 2 's response, and adds (ID ♢ , αP, ∇, r ♢ P, r ♢ ) to the list L UU (where ∇ represents a null value).
(2) If ID u ≠ ID ♢ , B randomly chooses x u , r u ∈ Z * q , computes PK u = (x u P, r u P) as A 2 's response, and adds (ID u , x u P, x u , r u P, r u ) to the list L UU .
R upk (PID c , PK ′ c ): Similar to Lemma 1.
R upk (ID u , PK ′ u ): Similar to Lemma 1.
Q ppk (PID c ): Similar to Lemma 1.
Q ppk (ID u ): B maintains a list L KU , which contains the tuple (ID u , d u ). When A 2 provides an identity ID u for a query, B searches for (ID u , x u P, x u , r u P, r u ) in the list L UU , and then executes the PPKG algorithm to output the tuple d u . After that, B adds (ID u , d u ) to the list L KU .
Q sv (ID u ): B maintains the list L VU , which contains the tuple (ID u , x u ). When A 2 provides an identity ID u for a query, B performs the subsequent steps:
(1) If ID u = ID ♢ , then B fails and terminates the process.
(2) If ID u ≠ ID ♢ , B searches for (ID u , x u P, x u , r u P, r u ) in the list L UU , outputs x u as A 2 's response, and then adds (ID u , x u ) to the list L VU .
Q sc (m, ID u , PK u , PID c , PK c ): Guess phase: A 2 performs various queries adaptively, as in the query phase, and follows the rules of Game 2. After that, A 2 outputs its guess ξ ′ ∈ {0, 1}.
Solving the DDH problem: B returns "1" if ξ ′ = ξ. Otherwise, B outputs "0". If T = αβP, then This means that σ * is a true ciphertext. Therefore, the advantage of A 2 in distinguishing symbol ξ is ε, that is to say: If T ≠ αβP, then σ * is not a true ciphertext. This implies that for this σ * , the distribution of ξ = 0 and ξ = 1 is the same. Therefore, A 2 cannot have any advantage in identifying symbol ξ, that is to say: 2 .
Probability: Let q UU , q RU , q VU and q UN represent the number of times A 2 executes Q upk (ID u ), R upk (ID u ), Q sv (ID u ) and Q un (σ, ID u , PK u , PID c , PK c ), respectively. Next, we will calculate the probability of B successfully solving a given DDH problem. To facilitate understanding, we define the following three events: Based on the analysis, we can obtain the following results: Then, the following results can be derived: Consequently, if A 2 can distinguish symbol ξ with the advantage ε, then B can resolve the DDH problem with a probability of ε q UU e − q UN q UU .
Theorem 1. If the DDH problem is hard, our scheme is proven to be IND-CCA2 in the SM.
Proof. From Lemmas 1 and 2, we can see that the conclusion is correct.

Lemma 3.
If the CCA problem is hard, our scheme is proven to be UF-CMA against the adversary A 1 in the SM.
Proof. Given the tuple (P, αP). The goal of B is to output the tuple (γ, (1/(α+γ))P).
Initialization phase: Same as the initialization phase in Lemma 1.
Query phase: B sets PID ♢ as the challenge target identity. A 1 can conduct the following types of queries, and B simulates A 1 's queries as follows:
Q pid (ID c ): Similar to Lemma 1.
Q upk (PID c ): B maintains a list L UC , which includes the tuple (PID c , X c , x c , R c , r c ). When A 1 provides an identity PID c for a query, if the PID c is on the list L UC , B returns PK c as A 1 's response. Otherwise, PID c is queried as a new identity, and B performs the subsequent steps:
(1) If PID c = ID ♢ , B randomly chooses x ♢ ∈ Z * q , sets PK c = PK ♢ = (x ♢ P, αP) as A 1 's response, and adds the tuple (PID ♢ , x ♢ P, x ♢ , αP, ∇) to the list L UC (where ∇ represents a null value).
(2) If PID c ≠ ID ♢ , B randomly chooses x c , r c ∈ Z * q , sets PK c = (x c P, r c P) as A 1 's response, and adds the tuple (PID c , x c P, x c , r c P, r c ) to the list L UC .
Q upk (ID u ): B maintains a list L UU , which contains the tuple (ID u , X u , x u , R u , r u ). When A 1 provides an identity ID u for a query, if the ID u is on the list L UU , B returns PK u as A 1 's response. Otherwise, ID u is queried as a new identity, B randomly chooses x u , r u ∈ Z * q , sets PK u = (x u P, r u P), and adds (ID u , x u P, x u , r u P, r u ) to the list L UU .
R upk (PID c , PK ′ c ): Similar to Lemma 1.
R upk (ID u , PK ′ u ): Similar to Lemma 1.
Q ppk (PID c ): B maintains a list L KC , which includes the tuple (PID c , d c ). When A 1 provides an identity PID c for a query, B performs the subsequent steps:
(1) If PID c = PID ♢ , then B fails and terminates the process.
(2) If PID c ≠ PID ♢ , B searches for (PID c , x c P, x c , r c P, r c ) in the list L UC , executes the PPKG algorithm to output d c as A 1 's response, and then adds (PID c , d c ) to the list L UC .
) for a query, B performs as follows:
(1) If PID c ∈ L RC , then PK c = (x c P, r c P) is replaced by B first executes the PPKG algorithm and FSKS algorithm using identity PID c to obtain SK c , and then executes the signcrypt algorithm with tuple (m, ID u , PK u , PID c , SK c ) to output the ciphertext σ as A 1 's response.
(2) If PID c ∉ L RC and PID c ≠ PID ♢ , B first executes the PPKG algorithm and FSKS algorithm using identity PID c to obtain SK c , and then executes the signcrypt algorithm with tuple (m, ID u , PK u , PID c , SK c ) to output the ciphertext σ as A 1 's response.
(3) If PID c ∉ L RC and PID c = PID ♢ , B fails and terminates the process.
Q un (σ, ID u , PK u , PID c , PK c ): When A 1 provides tuple (σ, ID u , PK u , PID c , PK c ) for a query, B performs as follows:
(1) If ID u ∈ L RU , then PK u = (x u P, r u P) is replaced by B first executes the PPKG algorithm and FSKS algorithm using identity ID u to obtain SK u , and then executes the signcrypt algorithm with tuple (σ, ID u , SK u , PID c , PK c ) to output the plaintext m or ⊥ as A 1 's response.
(2) If PID c ∉ L RU , B first executes the PPKG algorithm and FSKS algorithm using identity ID u to obtain SK u , and then executes the signcrypt algorithm with tuple (σ, ID u , SK u , PID c , PK c ) to output the plaintext m or ⊥ as A 1 's response.
Solving CCA problem: B proceeds with the following steps: (1) Searches for Therefore, (γ, ω * ) serves as the response to the CCA problem.
Probability: Let q UC , q RC , q KC and q SC represent the number of times A 1 executes Q upk (PID c ), R upk (PID c ), Q ppk (PID c ) and Q sc (σ, ID u , PK u , PID c , PK c ), respectively. Next, we will calculate the probability of B successfully solving a given CCA problem. To facilitate understanding, we define the following three events: Based on the analysis, we can obtain the following results: Then, the following results can be derived: Consequently, if A 1 can forge a real ciphertext with advantage ε, then B can resolve the DDH problem with a probability of ε q UC e − q SC q UC .
Lemma 4. If the CCA problem is hard, our scheme is proven to be UF-CMA against the adversary A 2 in the SM.
Proof. Given the tuple (P, αP). The goal of B is to output the tuple (γ, (1/(α+γ))P).
Initialization phase: Same as the initialization phase in Lemma 2.
Query phase: B sets PID ♢ as the challenge target identity. A 2 can conduct the following types of queries, and B simulates A 1 's queries as follows:
Q pid (ID c ): Similar to Lemma 1.
Q upk (PID c ): B maintains the list L UC , which includes the tuple (PID c , X c , x c , R c , r c ). When A 2 provides an identity PID c for a query, if the PID c is on the list L UC , B returns PK c as A 2 's response. Otherwise, PID c is queried as a new identity, and B performs the subsequent steps:
(1) If PID c = ID ♢ , B randomly chooses r ♢ ∈ Z * q , sets PK c = PK ♢ = (αP, r ♢ P) as A 2 's response, and adds the tuple (PID ♢ , αP, ∇, r ♢ P, r ♢ ) to the list L UC (where ∇ represents a null value).
(2) If PID c ≠ ID ♢ , B randomly chooses x c , r c ∈ Z * q , sets PK c = (x c P, r c P) as A 2 's response, and adds the tuple (PID c , x c P, x c , r c P, r c ) to the list L UC .
Q upk (ID u ): Similar to Lemma 3.
R upk (PID c , PK ′ c ): Similar to Lemma 1.
R upk (ID u , PK ′ u ): Similar to Lemma 1.
Q ppk (PID c ): Similar to Lemma 1.
Q ppk (ID u ): Similar to Lemma 3.
Q sv (PID c ): B maintains the list L VC , which includes the tuple (PID c , x c ). When A 2 provides an identity PID c for a query, B performs the subsequent steps:
(1) If PID c = PID ♢ , then B fails and terminates the process.
(2) If PID c ≠ PID ♢ , B searches for (PID c , x c P, x c , r c P, r c ) in the list L VC , outputs x c as A 2 's response, and then adds (PID c , x c ) to the list L VC .
Q sv (ID u ):
Therefore, (γ, ω * ) serves as the response to the CCA problem.
Probability: Let q UC , q RC , q VC and q SC represent the number of times A 2 executes Q upk (PID c ), R upk (PID c ), Q sv (PID c ) and Q sc (σ, ID u , PK u , PID c , PK c ), respectively. Next, we will calculate the probability of B successfully solving a given CCA problem. To facilitate understanding, we define the following three events:
π 1 : A 2 has neither operated Q sv (PID ♢ ) nor replaced the value of X ♢ c (αP).
π 2 : A 2 has not failed in Q sc ().
π 3 : PID * c = PID ♢ .
Because if A 2 replaces the public key of PID c , it cannot perform Q sv () for PID c , therefore L RC ∩ L VC = ∅. Based on the analysis, we can obtain the following results: Then, the following results can be derived: Consequently, if A 2 can forge a real ciphertext with advantage ε, then B can resolve the DDH problem with a probability of ε q UC e − q SC q UC .
Theorem 2. If the CCA problem is hard, our scheme is proven to be UF-CMA in the SM.
Proof. From Lemmas 3 and 4, we can see that the conclusion is correct.
Theorem 3. If the DDH problem is hard, our scheme is proven to be anonymous to the signcrypter against the super adversary A in the SM.
Proof. Given the tuple (P, αP, βP, T), where α, β ∈ Z * q and α, β are unknown. The goal of B is to determine whether T is equal to αβP.
Initialization phase: Same as the initialization phase in Lemma
Solving the DDH problem: B returns "1" if ξ ′ = ξ. Otherwise, B outputs "0". If T = αβP, then This means that PID * ξ is a true pseudo-identity. Therefore, the advantage of A in distinguishing symbol ξ is ε, that is to say: If T ≠ αβP, then PID * ξ is not a true pseudo-identity. This implies that for this σ * , the distribution of ξ = 0 and ξ = 1 is the same. Therefore, A cannot have any advantage in identifying symbol ξ, that is to say: During the proof process, C will not fail. Consequently, if A can distinguish symbol ξ with the advantage ε, then B can resolve the DDH problem with a probability of ε.
Theorem 4. Our scheme is identifiable.
(3) Outputs the true identity ID c of C. Thus, for any ciphertext, the KGC can identify the true identity of C. So our scheme is identifiable.

Security Analysis
Firstly, we analyze the security properties and functionalities of our scheme. Theorem 1 indicates that adversaries are unable to obtain valid messages, thus ensuring that our scheme can achieve confidentiality. Theorem 2 demonstrates that no adversary can forge legitimate signatures. Therefore, our scheme can simultaneously satisfy confidentiality, integrity, authentication, and non-repudiation. Theorem 3 indicates that our scheme provides anonymity for the signcryptor. Theorem 4 demonstrates that our scheme is also identity identifiable. Furthermore, our scheme is characterized by public verifiability, public ciphertext authenticity, and is classed as certificateless cryptography.
Secondly, we compare the security properties and functionality of our scheme with those of the schemes in [28,30,32,40,46,49-51]. The comparison results are shown in Table 1, where SM represents the standard model, ROM represents the random oracle model, √ represents the scheme compliance attribute, × represents the scheme non-compliance attribute, and represents unknown. As shown in Table 1, our scheme satisfies the four security properties of confidentiality, integrity, authentication, and non-repudiation. These properties have been proven within the standard model. Since our security model has been enhanced, our scheme stands out as the most secure among all schemes. Furthermore, compared to other schemes, only our scheme concurrently realizes all four functions: anonymity of the signcryptor, identity identifiability, public verifiability, and public ciphertext authenticity, while incorporating a certificateless design. Notably, the anonymity of the signcryptor and identity identifiability can be proven in the standard model. Therefore, our scheme is not only more secure but also has more comprehensive functionalities.

Efficiency Analysis
Moving forward, we proceed to compare the computational expenses associated with the previously discussed schemes. To facilitate the comparison, we adopt the computation time of the scheme by He et al. [52] as the benchmark. The relevant operations were implemented using the well-known cryptographic library (MIRACL) on a smartphone (Samsung Galaxy S5 G9001, Qualcomm Snapdragon 801 Quad-core 2.5 GHz Krait 400, GPU Adreno 330, 16GB 2GB RAM, Android 4.4.2 KitKat, Samsung Electronics, Seoul, Republic
In the scheme [30], the computational overhead of the signcryption algorithm, unsigncryption algorithm, and the total are 3T
Based on Figure 3 and the analysis above, the computational cost for unsigncryption in our scheme is lower than all other schemes. While the schemes [30,32,50,51] have a lower computational cost for signcryption than ours, they suffer from a lack of critical functionalities. Specifically, schemes [30,32] do not provide anonymity of the signcrypter, identity identifiability, public verifiability, and public ciphertext authenticity. Additionally, schemes [50,51] also lack anonymity of the signcrypter and identity identifiability. In contrast, our scheme maintains a balance between computational efficiency, essential security and critical functionalities. In terms of total cost, the total cost of our scheme is the lowest, and it can be observed that the total computational overhead for our scheme is approximately 47.48% of the scheme [28], 42.37% of the scheme [40], 61.71% of the scheme [30], 41.82% of the scheme [53], 41.20% of the scheme [46], 83.16% of the scheme [49], 54.72% of the scheme [32], 80.02% of the scheme [51], and 96.24% of the scheme [50].
Next, we compare the storage costs of the schemes, as shown in Table 4 and
The size of the system parameters in the scheme [28,30,32,40,46,49-51,53]
The length of the ciphertext in the scheme [28,30,32,40,46,49-51,53], and our scheme are
Based on Figure 4 and the previous detailed analysis, our scheme exhibits a notable advantage in ciphertext length, surpassing all other schemes except for scheme [51]. Nevertheless, it must be pointed out that while scheme [51] is relatively close to ours in ciphertext length, it fails to offer the two crucial features of anonymity of the signcrypter and identity identifiability. Furthermore, the security proof of scheme [51] relies on the random oracle model, which to some extent undermines its universality and reliability in practical applications. Notably, in terms of the length of system parameters, our scheme achieves the shortest length, which fully demonstrates its superiority in efficiency. It can be observed that the system parameter size of our scheme is approximately 5.77% of the scheme [28], 23.08% of the scheme [40], 100% of the scheme [30], 23.08% of the scheme [53], 15.79% of the scheme [46], 60.76% of the scheme [49], 100% of the scheme [32], 150% of the scheme [51], and 75% of the scheme [50]. The ciphertext size of our scheme is approximately 77.08% of the scheme [28], 46.25% of the scheme [40], 38.54% of the scheme [30], 33.04% of the scheme [53], 28.66% of the scheme [46], 69.81% of the scheme [49], 52.86% of the scheme [32], 73.27% of the scheme [51], and 69.81% of the scheme [50].
In conclusion, our CL-ASC scheme has demonstrated all crucial security properties in the standard model, and it is also more comprehensive in terms of functionality, particularly in offering anonymity of the signcrypter and identity identifiability. With the exception of the scheme [51], which holds a slight advantage in terms of system parameter size, our scheme outperforms all other known schemes in both computational overhead and storage costs. Consequently, compared to existing schemes, our CL-ASC scheme boasts lower computational and storage costs while maintaining a higher level of security. This makes it an ideal and cost-effective communication solution for WBANs.
The ethical and regulatory issues surrounding signcryption schemes primarily manifest in the following aspects:
Technical Ethics: Signcryption schemes require ensuring that the technology, in its design and implementation, is not only secure and reliable but also respects user privacy, is transparent and auditable, and adheres to ethical and legal standards. This includes utilizing robust encryption algorithms to safeguard data, adopting decentralized storage to mitigate privacy risks, implementing data minimization principles to reduce the likelihood of breaches, and ensuring transparency to build trust.
Social Ethics: Signcryption schemes, which can be employed to protect the communication and transactions of individuals or organizations, must be designed with social interests and public safety in mind. For instance, it should not be permissible for encryption technology to be utilized in support of illegal activities or to evade legal oversight.
Individual Ethics: In the design of signcryption schemes, it is imperative to respect and protect the personal privacy of users. This implies that the processes of generating, storing, and utilizing encryption keys must ensure the confidentiality and privacy of user data.
Transparency and Accountability: The provider of the signcryption scheme should clarify its responsibilities in data protection and transparently explain its data processing and protection measures to users and interested parties.
Legal and Regulatory Compliance: Signcryption schemes must adhere to relevant legal and regulatory requirements, including data protection laws, electronic communication laws, and other pertinent regulations.
User Education and Awareness: Users of signcryption technology should be educated about their rights and responsibilities, including how to safely use encryption tools and protect their keys.
In summary, the ethical and regulatory issues surrounding signcryption schemes encompass various aspects, such as privacy protection, transparency and accountability, legal and regulatory compliance, and technological neutrality and balance, as well as user education and awareness enhancement. Addressing these issues necessitates concerted efforts and collaboration among technical designers, providers, users, and regulatory bodies.

Conclusions
Designing a secure and economical communication scheme specifically for Wireless Body Area Networks (WBANs) is a critical issue that needs urgent attention. Signcryption technology has emerged as an ideal choice for WBAN due to its ability to simultaneously achieve confidentiality, authentication, integrity, and non-repudiation at a relatively low cost. However, while the recently proposed CLSC schemes possess their own advantages, they also suffer from several drawbacks, including reliance on the ROM for security proofs, lack of public verifiability, public ciphertext authenticity and anonymity, and high computational costs. To address these issues, this paper first introduces a novel CL-ASC scheme. Second, it establishes an enhanced security model for the CL-ASC scheme. Furthermore, it proves that our CL-ASC scheme possesses indistinguishability, unforgeability, and anonymity of the signcrypter within the standard model. Finally, a comparative analysis of the performance of several CLSC schemes reveals that our CL-ASC scheme has lower computational and storage costs and superior security. Consequently, our CL-ASC scheme offers a more ideal and economical communication solution tailored for WBAN applications.

Figure 2. Schematic of system model.
• KGC: Responsible for setting system parameters and publishing them publicly. It is also responsible for generating pseudo-identities for sender C and generating partial private keys for both sender C and receiver U.
• C: Uses their own private key to perform signcryption on the data m, generates the ciphertext σ of m, and sends the ciphertext σ to B.
• U: Upon receiving the ciphertext, decrypts it using their own private key to obtain the data m.
The CL-ASC scheme consists of eight distinct algorithms, each of which is delineated as follows:
• Setup(µ): Input parameter µ for security; KGC generates the system parameters params and master secret key msk. KGC then makes params public and secretly holds msk.
• PIDG(ID c , params): Input the real identity ID c of C; KGC generates a pseudo-identity PID c of C, and sends it to C.
• PPKG(ID u /PID c , params, msk): Upon receiving the identity ID u of U (or the pseudo-identity PID c of C), KGC generates the partial private key d u (or d c ) of U (or C) and transmits it securely to U (or C).
• SVS(ID u /PID c , params): U (or C) sets x u (or x c ) as its secret value.
• FSKS(ID u /PID c , params, x u /x c , d u /d c ): U (or C) sets its full private key SK u (or SK c ) as SK u = (x u , d u ) (or SK c = (x c , d c )).
• UPKG(ID u /PID c , params, X u /X c , R u /R c ): U (or C) sets its public key as PK u = (X u , R u ) (or PK c = (X c , R c )).
• Signcrypt(m, ID u , PK u , PID c , SK c , params): Takes params, message m, U's identity ID u , U's public key PK u , C's pseudo-identity PID c and C's full private key SK c as input; C returns the ciphertext σ and transmits it to U.
• Unsigncrypt(σ, ID u , SK u , PID c , PK c , params): Takes params, ciphertext σ, U's identity ID u , U's full private key SK u , C's pseudo-identity PID c and C's public key PK c as input; U returns the corresponding plaintext m or ⊥.
• PIDG: KGC sets up a list FI, which contains the tuple (PID c , e c , E c , f c , F c ). Upon receiving an actual identity ID c ∈ Ω, KGC performs the subsequent steps:
(1) Randomly chooses e c , f c ∈ R Z * q , and calculates E c = e c P, F c = f c P.
(2) Computes △C = e c f c δP, PID c = ID c ⊕ H 1 (△C, E c , F c ).
(3) Sends the pseudo-identity PID c to C.
(4) Adds the tuple (PID c , e c , E c , f c , F c ) to the list FI.
• PPKG:
(1) After receiving the pseudo-identity PID c of C, KGC performs the subsequent steps:
(a) Randomly chooses r c ∈ Z * q , and calculates R c = r c P.
(b) Calculates l c = H 2 (PID c , R c ), d c = r c + l c δ.
(c) Sends (R c , d c ) to C via a secure channel.
) C can confirm d c 's validity by verifying whether the equation d c P = R c + l c P pub holds. If the equation holds, then the partial private key is valid. Otherwise, the partial private key is invalid.
(4) U can confirm d u 's validity by verifying whether the equation d u P = R u + l u P pub holds. If the equation holds, then the partial private key is valid. Otherwise, the partial private key is invalid.
• SVS: ) Calculates ω = (1/(d c + ρx c ))P. (8) Generates σ = (θ, K, ω) as the ciphertext. (9) Transmits σ to U.
• Unsigncrypt: Upon receiving the tuple σ = (θ, K, ω), U performs the subsequent steps:
(1) Calculates l c = H 2 (PID c , R c ).
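The PIDG and PPKG steps above, together with the validity check d c P = R c + l c P pub, as an added Python example (not the paper's code). Assumptions: secp256k1 stands in for G 1 because these steps need no pairing, H 1 and H 2 are instantiated with SHAKE-256 and SHA-256, and `identify` is one way the KGC could undo PIDG from its list FI; the identity string in the usage is constructed.

```python
import hashlib
import secrets

# Assumption: secp256k1 stands in for the paper's group G1. PIDG, PPKG and the
# partial-key check need only point addition and scalar multiplication.
FIELD = 2**256 - 2**32 - 977
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def on_curve(pt):
    return pt is not None and (pt[1] ** 2 - pt[0] ** 3 - 7) % FIELD == 0

def add(A, B):
    """Point addition; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FIELD) % FIELD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FIELD, -1, FIELD) % FIELD
    x3 = (lam * lam - x1 - x2) % FIELD
    return (x3, (lam * (x1 - x3) - y1) % FIELD)

def mul(k, A):
    """Scalar multiplication k*A by double-and-add (demo only, not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, A)
        A = add(A, A)
        k >>= 1
    return acc

def rand_scalar():
    return secrets.randbelow(Q - 1) + 1          # uniform in Z_q^*

def enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def H1(dC, E, F, n):
    """Assumed H1: n-byte mask that hides ID_c inside PID_c."""
    return hashlib.shake_256(b"H1" + enc(dC) + enc(E) + enc(F)).digest(n)

def H2(pid, R):
    """Assumed H2: hash of (PID_c, R_c) into Z_q."""
    return int.from_bytes(hashlib.sha256(b"H2" + pid + enc(R)).digest(), "big") % Q

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class KGC:
    def __init__(self):
        self.delta = rand_scalar()               # msk = delta
        self.P_pub = mul(self.delta, P)          # P_pub = delta * P
        self.FI = {}                             # PID_c -> (e_c, E_c, f_c, F_c)

    def _mask(self, e, E, f, F, n):
        dC = mul(e * f * self.delta % Q, P)      # triangle-C = e_c f_c delta P
        return H1(dC, E, F, n)

    def pidg(self, id_c):
        e, f = rand_scalar(), rand_scalar()
        E, F = mul(e, P), mul(f, P)
        pid = xor(id_c, self._mask(e, E, f, F, len(id_c)))
        self.FI[pid] = (e, E, f, F)
        return pid

    def ppkg(self, pid):
        r = rand_scalar()
        R = mul(r, P)
        d = (r + H2(pid, R) * self.delta) % Q    # d_c = r_c + l_c * delta
        return R, d                              # sent over a secure channel

    def identify(self, pid):
        """Assumption: the KGC looks PID_c up in FI and removes the H1 mask."""
        e, E, f, F = self.FI[pid]
        return xor(pid, self._mask(e, E, f, F, len(pid)))

def partial_key_valid(pid, R, d, P_pub):
    """Recipient-side check d_c P == R_c + l_c P_pub, rejecting malformed R_c."""
    if not on_curve(R) or not 0 < d < Q:
        return False
    return mul(d, P) == add(R, mul(H2(pid, R), P_pub))
```

A key that passes `partial_key_valid` is bound to both the pseudo-identity and the KGC's P pub, so a key issued for another PID c or by a different KGC is rejected before it is combined with the secret value x c .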

Let |G 1 |, |G 2 |, |Z * q | denote the size of elements in G 1 , G 2 and Z * q , respectively. Accordingly, we have |G 1 | = |G 2 | = 128 bytes, and |Z * q | = 20 bytes. The size of the output produced by the hash function is denoted as η = 40 bytes, the output size of the identity information is denoted as δ = 8 bytes, and the attribute size is denoted as τ. Let us assume τ = δ = 8 bytes.

• Challenge phase: $A_1$ selects two distinct messages $m_0$, $m_1$ of the same length and subsequently transmits the tuple $(m_0, m_1, ID_u^*, PK_u^*, PID_c^*, PK_c^*)$ to B, where $ID_u^*$ is the identity of U, $PK_u^*$ is the public key of U whose identity is $ID_u^*$, $PID_c^*$ is the identity of C and $PK_c^*$ is the public key of C whose identity is $PID_c^*$. B randomly chooses a bit $\xi \in \{0, 1\}$ and executes the signcryption algorithm using the tuple $(m_\xi, ID_u^*, PK_u^*, PID_c^*, PK_c^*)$ to obtain the ciphertext $\sigma^*$ of $m_\xi$. Then, B sends $\sigma^*$ to $A_1$. In this process, $A_1$ must meet the following conditions: (1) $ID_u^*$ is an identity whose partial private key has not been queried by $A_1$. (2) $A_1$ cannot replace the value of $R_u^*$.
• Guess phase: After receiving $\sigma^*$, $A_1$ performs a series of queries, but there are the following constraints: $PID_c^*$ is the identity of C and $PK_c^*$ is the public key of C whose identity is $PID_c^*$. B randomly chooses a bit $\xi \in \{0, 1\}$ and executes the signcryption algorithm using the tuple
• Query phase: $A_2$ performs various queries similar to Game 1.
• Challenge phase: $A_2$ selects two distinct messages $m_0$, $m_1$ of the same length and subsequently transmits the tuple $(m_0, m_1, ID_u^*, PK_u^*, PID_c^*, PK_c^*)$ to B, where $ID_u^*$ is the identity of U, $PK_u^*$ is the public key of U whose identity is $ID_u^*$,

• Query phase: $A_1$ performs various queries similar to Game 1.
• Forgery phase: $A_1$ outputs a new tuple $(\sigma^*, ID_u^*, PK_u^*, PID_c^*, PK_c^*)$, where $\sigma^*$ is a ciphertext, $ID_u^*$ is the identity of U, $PK_u^*$ is the public key of U whose identity is $ID_u^*$, $PID_c^*$ is the identity of C and $PK_c^*$ is the public key of C whose identity is $PID_c^*$. $A_1$ wins Game 3 if the subsequent conditions are met: (1) In the process of running the unsigncryption algorithm with the tuple $(\sigma^*, ID_u^*, SK_u^*, PID_c^*, PK_c^*)$, B does not output $\perp$. (2) $A_1$ was not allowed to operate $Q_{ppk}(PID_c^*)$. (3) $A_1$ was not allowed to replace the value of $R_c^*$. (4) $A_1$ was not allowed to acquire $\sigma^*$ through running $Q_{sc}(m^*, ID_u^*, PK_u^*, PID_c^*, PK_c^*)$, where $m^*$ represents the plaintext that corresponds to $\sigma^*$. The advantage of $A_1$ is defined as follows:
3) $A_2$ was not allowed to replace the value of $X_c^*$. (4) $A_2$ was not allowed to acquire $\sigma^*$ through running $Q_{sc}$(m
• Initialization phase: Same as the initialization phase in Game 2.
• Query phase: $A_2$ performs various queries similar to Game 1.
• Forgery phase: $A_2$ outputs a new tuple $(\sigma^*, ID_u^*, PK_u^*, PID_c^*, PK_c^*)$, where $\sigma^*$ is a ciphertext, $ID_u^*$ is the identity of U, $PK_u^*$ is the public key of U whose identity is $ID_u^*$, $PID_c^*$ is the identity of C and $PK_c^*$ is the public key of C whose identity is $PID_c^*$. $A_2$ wins Game 4 if the subsequent conditions are met: (1) In the process of running the unsigncryption algorithm with the tuple $(\sigma^*, ID_u^*, SK_u^*, PID_c^*, PK_c^*)$, B does not output $\perp$. (2) $A_2$ was not allowed to operate $Q_{sv}(PID_c^*)$. (*, $ID_u^*$, $PK_u^*$, $PID_c^*$, $PK_c^*$), where $m^*$ represents the plaintext that corresponds to $\sigma^*$. The advantage of $A_2$ is defined as follows: Similar to Lemma 1.
$Q_{un}(\sigma, ID_u, PK_u, PID_c, PK_c)$: Similar to Lemma 1.
Challenge phase: $A_2$ selects two distinct messages $m_0$, $m_1$ of the same length and subsequently transmits the tuple $(m_0, m_1, ID_u^*, PK_u^*, PID_c^*, PK_c^*)$ to B. B performs the subsequent steps: In Situation I, if $ID_u^* \neq ID^{\diamond}$, B randomly chooses $\xi \in \{0, 1\}$ and performs $Q_{sc}(m_\xi, ID_u^*, PK_u^*, PID_c^*, PK_c^*)$ to output the ciphertext $\sigma^*$ to $A_2$.